Are Enterprises Really Hacking the Hackers?

Wednesday, June 27, 2012

Rafal Los


Everyone's been talking about the hottest topic right now: the recent AP story titled "Hacked companies fight back with controversial steps".

I encourage you to read the article first, then read my analysis otherwise you may miss a few of the finer points of this discussion.

The big attention-grabbing statement is this one right across the top of the story - "Frustrated by their inability to stop sophisticated hacking attacks or use the law to punish their assailants, an increasing number of U.S. companies are taking retaliatory action."  

Now, if you read that statement and don't know any better, as is the case with about 90%+ of the readers of the Associated Press who aren't information security experts, you would think that these hacked companies are actually hiring hackers to go counter-hack their hackers.  This all sounds very... James Bond-ish... doesn't it?

As a colleague pointed out in confidence to me the other day, we both know security professionals who are probably doing this kind of dirty-work, which (even though I am not an attorney and wish to offer no legal advice) is likely highly illegal and what's more - difficult to accomplish without collateral damage.

Where this article goes awry is the confusion it generates - confusing "active defense" with "strike back technology" as the author puts it.  Those are, for those of us who are familiar with these concepts, completely different things.

Active defense, as the article tries to explain, is understood as... well... actively defending yourself.  Using technology which can confuse the attacker, mislead them to spend time on worthless parts of an application, or slow the response rate of the network or application down... that's active defense.  Actively dropping packets that are suspect, or malicious, that's active defense.

Striking back, as the people from CrowdStrike (who seem to be driving this silly story) define it in the article, involves actually going on the offensive and 'hacking the hackers'.  How, and to whom, does this sound like a good idea and a sound investment of time?

Luckily, there is a beacon of hope offered here in the form of an opinion: "There is no business case for it and no possible positive outcome," said John Pescatore, a National Security Agency and Secret Service veteran who leads research firm Gartner's Internet security practice.

This actually makes sense to me, as a rational and intelligent response... I can't even imagine the type of international incidents the potentially reckless type of "striking back" activity can cause!

Here it is in a nutshell, folks, my personal opinion: focus on active defense if you're that advanced, but don't go on the offense... leave that to the authorities who are legally allowed to track the bad guys.

This isn't the wild west, and remember you can't just go track down a hacker using your own hacking techniques... because then what?  I can't imagine that evidence obtained by criminal means would be admissible in any court of law... right?

Be pragmatic.  Be smart.  Don't listen to confusing and sensational news stories driven by companies who want to make a name for themselves doing cool secret-agent work.

Cross-posted from Following the White Rabbit

Jayson Wylie

This one is really disturbing and perplexing to me. I don't doubt the notion is going through upper management chains and they might see this as a valid response.

It seems some security agencies are going to offer this as a service and that's a bit sketchy to me.

What happened to the basic two wrongs don't make a right? There is ethical hacking and there is criminal activity. I feel it boils down to being authorized.

Why does an attack and vendetta approach sound better than hiring a sec firm to attack the hell out of your own systems? That makes more sense to me and it's significantly less complex.

I am struggling with some of the current trends of security and especially the detachment of typical IS and IT security bodies and thinking.

IS may better think that counter attacking is a viable action.

IT security, which performs the role of threat detection, will tell you that it's not as easy to track talented attackers.

Instead, lots of malware like worms and Trojans hit what they can. Many compromised web servers and other nodes, like commonly infected hosts on the internet, source attacks.

What about all those poor souls hosting LoICs and don't know anything about that?

Security professionals be very careful in championing this approach. It's not even about waking up a bear and being hit even harder or fighting fire with fire.

It's about upholding the law and ethics and understanding the laws and how to work within them to show a model of proper behavior in the profession to show example and not provide more cause for activity that is in the very basic illegal.

I hope, in this case, the rumors are highly exaggerated.